eleata engages the third-party data processors listed below to operate the Service. Each subprocessor is contractually bound to data-protection obligations consistent with our DPA and GDPR. We will provide subscribers 30 days' notice of any new subprocessor via email and an update to this page.
Current subprocessors
| Subprocessor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| eleata origin server (Argentina) | Validation processing, account database, audit logs, application server | Buenos Aires, Argentina | EU adequacy decision (Commission Decision 2003/490/EC) — no SCCs required |
| Cloudflare, Inc. | DNS, TLS termination, CDN, DDoS protection, Cloudflare Tunnel, Cloudflare Pages | Global (EU-region edge prioritised for EU traffic) and United States | EU SCCs + EU-US DPF certification + EU Data Boundary commitment |
| Stripe Payments Europe Ltd. / Stripe Inc. | Subscription billing, metered usage, payment processing | Ireland (EU) and United States | EU SCCs Module 3 + Stripe's DPF certification |
| Resend Inc. | Transactional email delivery (magic links, billing receipts) | Resend EU region (eu-west-1, Ireland) | Within EU — minimal data exposure (email addresses + message content) |
| Sentry (Functional Software, Inc.) | Error and exception monitoring (no XML payload data) | United States (with EU region opt-in) | EU SCCs Module 3 + DPF certification |
| GitHub, Inc. (Microsoft Corporation) | Source-code hosting, CI/CD, npm/PyPI/Go release artifacts | United States | EU SCCs + DPF certification (Microsoft) |
Subprocessors NOT used
For clarity:
- OpenAI / Anthropic / Google / Meta: not used for any customer-facing data path. Validation runs on a self-hosted Schematron engine.
- Marketing analytics with cookies: not used. We use cookieless server-side analytics.
- Lead-tracking pixels: not used.
Notification of changes
Subscribers can opt in to subprocessor change notifications by emailing privacy@eleata.io with subject line "subscribe subprocessor updates". We send updates 30 days before any new subprocessor begins processing your data, giving you the opportunity to object for reasonable data-protection reasons.
Data flows summary
- HTTP request path: client → Cloudflare EU edge (TLS terminates) → Cloudflare Tunnel → eleata origin server in Argentina (under EU adequacy decision).
- XML payloads: stored only on the Argentine origin and auto-deleted < 72 h.
- Account data: Argentine origin database (no replication to third parties).
- Email contents: Resend (eu-west-1, Ireland).
- Error reports: Sentry (US/EU) — sanitised, no XML body.
- Source code: GitHub (US) — public repos for SDKs/Action; private repo for backend.
- Payment data: Stripe — credit-card details never reach eleata.
For questions about subprocessors, transfer mechanisms, or to request a copy of the executed SCCs and the Transfer Impact Assessment (TIA), email privacy@eleata.io.